TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Progress Has Been Made, but Additional Steps Are Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses

September 9, 2009

Reference Number: 2009-20-119

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 9, 2009

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER
               DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT
               DEPUTY COMMISSIONER FOR SERVICES AND ENFORCEMENT

FROM:    Michael R. Phillips
         Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Progress Has Been Made, but Additional Steps Are Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Audit # 200820020)

This report presents the results of our review to evaluate compliance by Internal Revenue Service (IRS) management and security staffs in reviewing and certifying Integrated Data Retrieval System (IDRS)[1] security reports, which are produced online by the IDRS Online Report Services (IORS) system, and assess whether corrective actions taken to address our prior audit findings[2] were effective. This audit was part of the Treasury Inspector General for Tax Administration Fiscal Year 2008 Annual Audit Plan and was part of our statutory requirement to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer

The IRS requires managers of IDRS users to review and respond to IDRS security reports on the IORS system that present questionable accesses to taxpayer accounts. While the national averages of certification and timeliness rates have improved, the IRS did not ensure that all IDRS business divisions were completing their responsibilities for reviewing and certifying IDRS security reports. Until additional improvements are made, the IRS cannot ensure that taxpayer accounts on its primary tax account system are being properly protected from unauthorized accesses.

[1] IRS computer system capable of retrieving or updating stored information; it works in conjunction with a taxpayer's account records.
[2] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 24, 2006).

Synopsis

About 50,000 IRS employees access the IDRS to process taxpayer data during the course of their normal work duties. Managers of IDRS users are required to review and certify IDRS security reports on the IORS system on a regular basis to ensure that employee accesses to the IDRS are for valid work reasons. The IRS requires that managers maintain at least a 90 percent certification rate.

During Fiscal Year 2005, only 54 percent of IDRS security reports were certified. During this review, we found that 89 percent of IDRS security reports were certified for Fiscal Year 2008. We attribute this significant improvement to the Cybersecurity organization IDRS Security Program staff's actions to improve and enhance the IORS system. The IDRS Security Program staff corrected prior system problems that were hindering IDRS managers' ability to access IDRS security reports. For example, they implemented new systemic features, such as automatic email messages to remind IDRS managers when certifications are due, a "report certification due" box on IORS system report screens that displays any reports that have not been certified and highlights past due reports in red, and weekly reports for distribution by IDRS security officers that list which IDRS managers have and have not completed certifications.

While the national averages of certification and timeliness rates have improved, more needs to be done to ensure that all taxpayer accounts are protected from unauthorized access. Of the total 325,475 security reports requiring certification by IDRS managers in Fiscal Year 2008, 36,493 (11 percent) were not reviewed and certified, potentially allowing improper accesses to go undetected. The lack of reviews for 31,980 of these 36,493 reports can be attributed to 816 IDRS managers who had not met the 90 percent certification rate requirement, which equates to almost 33 percent of all IDRS managers.

The IRS did not complete all corrective actions recommended in our prior review. Specifically, the IRS did not implement effective compliance reviews to ensure IDRS business divisions[3] were complying with IDRS security report requirements. The IDRS Security Program staff did not fully implement this recommendation because they had no means for enforcing IDRS business divisions to comply with IDRS security report requirements.

We also recommended in our prior review that IDRS managers be held accountable for their security report responsibilities. The IRS did not implement this recommendation because the Cybersecurity organization believed action was no longer needed when the national average of certification rates improved.

[3] IDRS business divisions are segments of IRS business organizations aligned to facilitate monitoring of taxpayer account accesses.

Recommendations

We recommended that the Associate Chief Information Officer, Cybersecurity, 1) implement compliance review procedures for IDRS security officers that are designed to monitor and enforce IDRS business division compliance with security report responsibilities, 2) clarify what level of IRS organizational management should be assigned the responsibility for providing a response identifying corrective actions that are required for certification rates lower than 90 percent, 3) biannually provide a list of IDRS managers who have not met their IDRS security report responsibilities to the IRS business organization executive responsible for monitoring and enforcing IDRS business division and manager compliance with IDRS security program policy, and 4) complete plans to implement an enhancement in the IORS system to capture responses for IDRS business divisions when corrective actions are required for noncompliance.

The Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement should ensure IRS business organizations identify the executives responsible for monitoring and enforcing IDRS business division compliance with IDRS security program policy and providing a response identifying corrective actions for certification rates lower than 90 percent.

Response

IRS management agreed with the recommendations. The Associate Chief Information Officer, Cybersecurity, will 1) develop and implement compliance review procedures for IDRS security officers, 2) clarify the responsible level among IRS organizational management for submitting responses when certification rates are lower than 90 percent, 3) provide, at least biannually, IRS business organization executives responsible for monitoring and enforcing IDRS security compliance with a list of IDRS managers who have not met their IDRS security report responsibilities, and 4) implement an enhancement in the IORS system to capture responses for IDRS business divisions when corrective actions are required for noncompliance. In addition, the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement will issue a jointly signed memorandum reiterating IDRS security program policy requirements and will identify executives responsible for lower compliance rates. Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-8510.

Table of Contents

Background ................................................................ Page 1

Results of Review ......................................................... Page 4
    Security Report Certification and Timeliness Rates Have Significantly Improved ......... Page 4
    Not All IDRS Business Divisions Are Complying With Requirements for Reviewing Security Reports to Protect Against Unauthorized Employee Accesses to Taxpayer Accounts ......... Page 6
        Recommendations 1 through 3: ...................................... Page 9
        Recommendations 4 and 5: .......................................... Page 10

Appendices
    Appendix I – Detailed Objectives, Scope, and Methodology .............. Page 11
    Appendix II – Major Contributors to This Report ....................... Page 13
    Appendix III – Report Distribution List ............................... Page 14
    Appendix IV – IDRS Business Division Security Report Certification and Timeliness Rates for Fiscal Year 2008 ......... Page 15
    Appendix V – Management's Response to the Draft Report ................ Page 20

Abbreviations

IDRS    Integrated Data Retrieval System
IORS    IDRS Online Reports Services
IRS     Internal Revenue Service

Background

The Taxpayer Browsing Protection Act of 1997[1] made it a criminal offense to access or inspect tax information without proper authorization. This legislation was essentially focused on the Internal Revenue Service (IRS) to ensure its employees access taxpayer data only for official purposes. One of the primary systems used by IRS employees to research and update taxpayer data is the Integrated Data Retrieval System (IDRS). The IDRS is a mission-critical system that contains sensitive information such as taxpayers' names, Social Security Numbers, birth dates, addresses, filing statuses, exemptions, and income.

    It is a Federal crime for IRS employees to willfully access and view taxpayer accounts for other than tax administration purposes.

Because of the sensitive nature of its data, the IDRS routinely generates audit trail[2] information that can be used to detect potential unauthorized accesses to taxpayer accounts. The IRS refers to the unauthorized access of taxpayer information as "UNAX" and requires yearly training to be given to all employees to protect against it. Despite the training and existing security policies, UNAX violations continue to be an issue at the IRS. An internal IRS study reported that 1,191 UNAX cases had been processed by the IRS and the Treasury Inspector General for Tax Administration from Fiscal Year 2004 to Fiscal Year 2007.

Prior to November 2003, IDRS security staffs and managers of IDRS users received IDRS audit trail information in computer-generated paper reports. To reduce the costs of printing and distributing these reports and to improve the effectiveness of reporting results of management reviews, the IRS deployed the IDRS Online Reports Services (IORS) system, which is a web-based application that makes IDRS security reports available electronically to authorized reviewers.

The IORS system notifies managers of IDRS users by email when IDRS security reports are available and when responses to reports are due. Managers of IDRS users are required to review and certify the following security reports on a regular basis to determine that IDRS users are accessing the IDRS for valid work requirements:

    • Sensitive Access Report – Issued weekly, this report identifies IRS employees who have accessed another employee's or an employee's spouse's tax account.
    • Security Violations Report – Issued weekly, this report identifies attempted user transactions that violated specific IDRS security rules.
    • IDRS Security Profile Report – Issued monthly and quarterly, this report identifies employees' IDRS capabilities.

[1] 26 U.S.C.A. Sections 7213, 7213A, 7431 (West Supp. 2003).
[2] An audit trail is a chronological record of system activities that allows for the reconstruction, review, and examination of a transaction from inception to final results.

The IRS Cybersecurity organization is responsible for overseeing compliance with the IORS system and has direct responsibility over IDRS Security Program staffs located in the IRS campuses.[3] IRS business organizations[4] are responsible for ensuring their IDRS managers comply with IORS system procedures, investigate potential security violations, and take appropriate corrective actions.

In a July 2006 audit report[5] on the IRS' use of the IORS system, we reported that a majority of IDRS managers were not reviewing or certifying IDRS security reports produced by the IORS system. The IRS Cybersecurity organization and IRS business organizations had not sufficiently emphasized the need for their IDRS managers to review the IDRS security reports produced by the IORS system. In addition, IDRS managers were not held accountable for reviewing the IDRS security reports on a regular basis and the level of emphasis varied among the data security staffs located at the IRS campuses. Further, systemic problems with the IORS system contributed to the low compliance levels. We recommended that the Associate Chief Information Officer, Cybersecurity:

    • Coordinate with the IRS business organizations and place emphasis on the review of electronic IDRS security reports using the IORS system.
    • Conduct periodic compliance reviews to ensure IDRS business units[6] carry out their roles and responsibilities to review IDRS security reports.
    • Hire a new contractor to complete development of the next version of the IORS system. The systemic weaknesses with the system should be prioritized and addressed within a reasonable time period.

[3] The data processing arm of the IRS. The campuses process paper and electronic submissions, correct errors, and forward data to the Computing Centers for analysis and posting to taxpayer accounts.
[4] IRS business organizations include the Criminal Investigation, Large and Mid-Size Business, Small Business/Self-Employed, Tax Exempt and Government Entities, and Wage and Investment Divisions; the Offices of Appeals and Chief Counsel; the Taxpayer Advocate Service; and the Agency-Wide Shared Services and Communications and Liaison functions.
[5] Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized Employee Accesses (Reference Number 2006-20-111, dated July 24, 2006).
[6] IDRS business units are segments of IRS business organizations aligned to facilitate monitoring of taxpayer account accesses.

We also recommended that the Deputy Commissioner for Operations Support and the Deputy Commissioner for Services and Enforcement:

    • Ensure managers' operational review requirements are updated to include a step to validate that all IORS system-related reports are certified in a timely manner and to hold the managers accountable for meeting their security-related responsibilities.

This review was performed at the Cybersecurity organization office in New Carrollton, Maryland, during the period October 2008 through February 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

Results of Review

Security Report Certification and Timeliness Rates Have Significantly Improved

About 50,000 IRS employees access the IDRS to process taxpayer data during the course of their normal work duties. For monitoring accesses to taxpayer accounts, IRS business organizations are segmented into field or campus units called IDRS business divisions. IDRS users are organized into IDRS units within the IDRS business divisions. Currently, the IRS has established 65 IDRS business divisions that oversee a total of 5,667 IDRS units.[7] IRS business organizations are required to appoint managers responsible for timely reviewing and certifying IDRS security reports for employees in their IDRS units, and identify a point of contact for coordinating overall IDRS security activities for each IDRS business division. For the purpose of monitoring the review and certification of IDRS security reports, the IRS further grouped IDRS business divisions by the 10 IRS campuses. IDRS security officers from the Cybersecurity organization are located at each of the 10 campuses to oversee and monitor the IDRS business divisions affiliated with their campus.

The IRS requires that managers of IDRS units maintain at least a 90 percent certification rate for their IDRS security reports. In addition, managers must certify weekly IDRS security reports within 14 calendar days and monthly IDRS security reports within 28 calendar days for the certifications to be considered as timely.

During this review, we found that the national averages of certification and timeliness rates for IDRS security reports have significantly improved since our last review. Figure 1 presents a comparison of the average certification and timeliness rates for the 10 campuses for Fiscal Year 2005 that were compiled by the Cybersecurity organization IDRS Security Program staff during our prior review, and the average rates for the 10 campuses for Fiscal Year 2008 compiled by the Cybersecurity organization IDRS Security Program staff during this review.

[7] Although not part of the IRS, the Treasury Inspector General for Tax Administration is included as 1 of the 65 IDRS business units because its employees may require access to the IDRS as part of their job responsibilities.

Figure 1: IRS Campus Security Report Certification and Timeliness Rates

                          Certification Rate              Timeliness Rate
    IRS Campus         Fiscal Year   Fiscal Year     Fiscal Year   Fiscal Year
                          2005          2008            2005          2008
    1. Andover            80%           90%             61%           78%
    2. Atlanta            41%           73%             26%           60%
    3. Austin             16%           74%              9%           63%
    4. Brookhaven         88%           98%             68%           92%
    5. Cincinnati         40%           85%             23%           69%
    6. Fresno             42%           94%             26%           82%
    7. Kansas City        59%           91%             35%           80%
    8. Memphis            33%           94%             19%           83%
    9. Ogden              78%           97%             55%           87%
    10. Philadelphia      38%           87%             26%           72%
    Averages              54%           89%             37%           77%

    Source: Cybersecurity organization IDRS Security Program staff. Data were extracted using queries of the IORS system.

We attribute the improvements in the certification and timeliness rates to corrections and enhancements made by the IRS to the IORS system. In response to our prior review recommendations, the IDRS Security Program staff corrected IORS system problems that had hindered IDRS managers' ability to access IDRS security reports and were contributing to low certification and timeliness rates. In addition, the IDRS Security Program staff implemented system enhancements that further improved IDRS managers' compliance with completing their security report requirements, including:

    • Automatic email messages to remind IDRS managers that certifications are due.
    • A "report certification due" box on IORS system report screens that displays any reports that have not been certified and highlights past due reports in red.
    • Actions and Certifications Detailed Reports that list which IDRS managers have and have not completed certifications. Campus security officers use this information to send weekly notifications to IDRS business unit points of contact for distribution to the appropriate IDRS managers who need to complete certifications.

Not All IDRS Business Divisions Are Complying With Requirements for Reviewing Security Reports to Protect Against Unauthorized Employee Accesses to Taxpayer Accounts

While the national averages of certification and timeliness rates for IDRS security reports have significantly improved, with the certification compliance rate approaching the 90 percent requirement, more needs to be done to ensure that all taxpayer accounts are protected from unauthorized access. The rates for some of the individual IDRS business divisions did not meet the certification and timeliness requirements. Of the total 325,475 security reports requiring certification by IDRS managers in Fiscal Year 2008, 36,493 (11 percent) were not reviewed and certified, potentially allowing improper accesses to taxpayer accounts to go undetected. Further analysis of the 36,493 reports identified that 32 of the 65 IDRS business divisions had certification rates that were lower than 90 percent for Fiscal Year 2008. The lack of reviews for 31,980 of these 36,493 reports can be attributed to 816 IDRS managers who had not met the 90 percent certification rate requirement, which equates to 32.7 percent of all IDRS managers. Fifty-seven of the 65 IDRS business divisions had at least 1 IDRS manager who did not meet the 90 percent certification rate requirement. Appendix IV presents the certification and timeliness rates for all 65 IDRS business divisions for Fiscal Year 2008.

    In Fiscal Year 2008, 36,493 security reports were not reviewed and certified, potentially allowing improper access to taxpayer accounts to go undetected.

Effective compliance reviews were not implemented

IRS policy requires executives of business organizations with IDRS business divisions that do not have at least a 90 percent certification rate for their IDRS security reports to provide to the IDRS Security Program staff within 14 calendar days a response that identifies the nature and date of the actions to be taken to correct any deficiencies associated with the review and certification of security reports.

Based on the low certification and timeliness rates found during our prior review, we recommended that the IRS conduct periodic compliance reviews to ensure IDRS business divisions carried out their IDRS security report responsibilities. During this review, we found that the IRS had not yet implemented effective compliance reviews for monitoring IDRS business division compliance with IDRS policy.

The IDRS Security Program staff had taken some steps to implement this recommendation. In April 2006, they began to generate a quarterly report that listed the certification and timeliness rates for each of the 10 campuses. The staff shared this report with the IDRS Security Issues Committee that included representatives from the various IRS business organizations. However, in mid-2007, the IDRS Security Program staff discontinued providing this quarterly report to the campuses because it was not getting distributed further. The quarterly report was not effective for informing IDRS business divisions of their certification and timeliness rates because the rates for individual IDRS business divisions were rolled up to the campus level. In addition, the IDRS Security Issues Committee members were serving as liaisons for their business organizations and not as monitors at the IDRS business division level.

In November 2006, the Memphis, Tennessee, Campus IDRS Security Program staff created draft compliance review procedures, IORS Certification Standard Operating Procedures, for IDRS security officers. These procedures instructed campus IDRS security officers to monitor report certifications in the IORS system on a weekly basis and notify IDRS business divisions at their campuses when report certifications become untimely. To perform this task, campus security officers used the Actions and Certifications - Detailed Utility Report feature in the IORS system to determine which IDRS managers had completed certifications and which had not. The security officers then emailed the reports to the IDRS business divisions' points of contact, who in turn distributed them to the appropriate IDRS managers who needed to complete certifications. Although these procedures were never finalized or formally issued, we found that IDRS security officers were generally following them and emailed weekly reports to inform IDRS managers when certifications were overdue.

However, the draft procedures did not instruct the IDRS security officers on what actions to take when IDRS managers did not complete their responsibilities. Also, the draft procedures did not instruct IDRS security officers to monitor IDRS business division certification and timeliness rates to determine those that had a lower than 90 percent certification rate and therefore required a response identifying the corrective actions they would take to improve compliance. For the 32 IDRS business divisions with certification rates lower than 90 percent, we found that none had provided a response identifying corrective actions.

The IDRS Security Program staff had not completed actions to implement compliance review procedures and was not enforcing the requirement for responses from IDRS business divisions with a lower than 90 percent certification rate for the following reasons:

    • IRS business organizations had not identified executives to be responsible for providing the response for certification rates lower than 90 percent.
    • IRS policy did not clarify what level of business organizational management should be assigned the responsibility for providing the response when needed.
    • No mechanism existed to capture responses for noncompliant IDRS business divisions. The IDRS Security staff advised us that they intend to implement a mechanism to capture responses in the IORS system in December 2009.
    • The IRS had not implemented any disciplinary mechanisms to help the IDRS Security Program staff enforce IDRS business division compliance with IDRS security report requirements.

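The monitoring step the draft procedures left out, as an added illustration that is not IRS or IORS code: from a set of constructed security-report records it computes per-division and per-manager certification and timeliness rates using the thresholds this report states (a 90 percent certification rate, weekly reports certified within 14 calendar days, monthly reports within 28), lists the managers who fall short, and flags each division below 90 percent as owing a corrective-action response. The record layout, the division and manager names, the sample dates, and the assumption that the division's 14-day response clock starts on the review date are all assumptions of the example, not facts from the report.

```python
"""Compliance review of security-report certifications (added example,
not IRS/IORS code; record layout and sample data are constructed)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

CERT_THRESHOLD = 0.90                          # minimum certification rate
TIMELY_DAYS = {"weekly": 14, "monthly": 28}    # calendar days allowed to certify
RESPONSE_DAYS = 14                             # days a flagged division has to respond
REVIEW_DATE = date(2008, 9, 30)                # constructed review date (end of FY 2008)


@dataclass(frozen=True)
class ReportRecord:
    """One IDRS security report and who was responsible for certifying it."""
    division: str
    manager: str
    frequency: str             # "weekly" or "monthly"
    issued: date
    certified: Optional[date]  # None means the manager never certified it


def is_certified(rec: ReportRecord) -> bool:
    return rec.certified is not None


def is_timely(rec: ReportRecord) -> bool:
    """Certified within the window allowed for the report's frequency."""
    if rec.certified is None:
        return False
    return (rec.certified - rec.issued).days <= TIMELY_DAYS[rec.frequency]


def rates(recs):
    """(certification rate, timeliness rate) for a group of records, 3 decimals."""
    if not recs:
        return 0.0, 0.0
    n = len(recs)
    return (round(sum(map(is_certified, recs)) / n, 3),
            round(sum(map(is_timely, recs)) / n, 3))


def group_by(recs, key):
    groups = {}
    for rec in recs:
        groups.setdefault(key(rec), []).append(rec)
    return groups


def compliance_review(recs, as_of: date) -> dict:
    """Division and manager rates plus the items a security officer must act on."""
    divisions = {}
    for div, group in group_by(recs, lambda r: r.division).items():
        cert, timely = rates(group)
        below = cert < CERT_THRESHOLD
        divisions[div] = {
            "certification_rate": cert,
            "timeliness_rate": timely,
            "response_required": below,
            # assumption: the response clock starts on the review date
            "response_due": as_of + timedelta(days=RESPONSE_DAYS) if below else None,
        }
    managers = {}
    for key, group in group_by(recs, lambda r: (r.division, r.manager)).items():
        cert, timely = rates(group)
        managers[key] = {"certification_rate": cert, "timeliness_rate": timely,
                         "meets_requirement": cert >= CERT_THRESHOLD}
    # never-certified reports whose certification window has already closed
    overdue = [r for r in recs if r.certified is None
               and (as_of - r.issued).days > TIMELY_DAYS[r.frequency]]
    return {"divisions": divisions, "managers": managers,
            "managers_below_threshold": sorted(k for k, v in managers.items()
                                               if not v["meets_requirement"]),
            "overdue_uncertified": overdue}


def weekly_notice(review: dict) -> list:
    """Lines an officer would send to division points of contact for distribution."""
    lines = []
    for div, mgr in review["managers_below_threshold"]:
        m = review["managers"][(div, mgr)]
        lines.append(f"{div}: {mgr} certification rate {m['certification_rate']:.0%} "
                     f"(requirement {CERT_THRESHOLD:.0%})")
    for div, d in review["divisions"].items():
        if d["response_required"]:
            lines.append(f"{div}: corrective-action response due {d['response_due']}")
    return lines


def build_sample_records() -> list:
    """Constructed sample data, not real IORS output."""
    recs = []
    start = date(2008, 1, 7)
    for i in range(10):                        # ten weekly reports per manager
        issued = start + timedelta(days=7 * i)
        # Mgr-1 certifies every report, one of them late (20 days)
        recs.append(ReportRecord("Division A", "Mgr-1", "weekly", issued,
                                 issued + timedelta(days=20 if i == 4 else 3)))
        # Mgr-2 certifies six of ten (one late at 16 days) and never certifies four
        cert = None if i in (4, 7, 8, 9) else issued + timedelta(days=16 if i == 6 else 5)
        recs.append(ReportRecord("Division B", "Mgr-2", "weekly", issued, cert))
    for month in range(1, 6):                  # five monthly reports, one late (30 days)
        issued = date(2008, month, 1)
        recs.append(ReportRecord("Division B", "Mgr-3", "monthly", issued,
                                 issued + timedelta(days=30 if month == 3 else 10)))
    return recs


if __name__ == "__main__":
    for line in weekly_notice(compliance_review(build_sample_records(), REVIEW_DATE)):
        print(line)
```

Rolling the same records up only to the campus level, as the discontinued quarterly report did, would hide Division B entirely behind Division A's numbers; computing the rates per division and per manager is what makes the 90 percent rule enforceable.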
                              Page 7\n\x0c                    Progress Has Been Made, but Additional Steps Are Needed to\n                            Ensure Taxpayer Accounts Are Monitored to\n                             Detect Unauthorized Employee Accesses\n\n\n\nWhen IDRS managers do not complete certification of security reports in a timely manner, the\nIRS has no assurance that taxpayer accounts are being properly protected and potential\nunauthorized accesses to taxpayer data by employees are being identified.\n\nManager accountability was not implemented\nOur prior review found that IDRS managers were not being held accountable for their IDRS\nsecurity report responsibilities. We recommended that the IRS update the operational review\nrequirements for its managers to include a step to timely certify all IORS security reports and to\nhold managers accountable for meeting their security-related responsibilities.\nThe National Institute of Standards and Technology Special Publication 800-100 8 describes the\ninformation security governance practices that are critical for ensuring the security of enterprise\ninformation assets. One of these critical practices is that individuals who are responsible for\ninformation security within the agency should be held accountable for their actions or lack of\nactions.\nTo address our recommendation, in Fiscal Year 2007, the IRS updated the self-assessment 9 that\nmanagers complete annually to include a step for IDRS managers to certify that they have\ncompleted their IDRS security report reviews. 
While the self-assessment may increase\nawareness of their IDRS security report responsibilities, it does not hold IDRS managers\naccountable if they do not comply with them.\nThe IRS had also planned to issue a memorandum signed jointly by the Deputy Commissioner\nfor Operations Support and the Deputy Commissioner for Services and Enforcement to IRS\nCommissioners and Chiefs requiring that all IRS business organizations identify and enforce\ndisciplinary consequences for noncompliance with reviewing and certifying IDRS security\nreports. However, in June 2007, the IRS recorded an overall certification rate of 87 percent with\na timeliness rate of 73 percent (up from a certification rate of 54 percent with a timeliness rate of\n37 percent in Fiscal Year 2005). Based on the improvement in the national averages of\ncertification and timeliness rates, the IRS Cybersecurity organization determined that no further\naction was needed to address manager accountability. As a result, the aforementioned joint\nmemorandum was not issued. Consequently, the IRS did not identify or implement disciplinary\nconsequences for IDRS managers who do not complete review and certification of IDRS security\nreports in a timely manner.\nWhile certification and timeliness rates have improved, the rate of improvement has slowed. As\ndiscussed previously, 816 (32.7 percent) of IDRS managers did not meet the 90 percent\ncertification rate requirement for security reports in Fiscal Year 2008. This contributed to 32 of\n\n8\n  Information Security Handbook: A Guide for Managers, published October 2006.\n9\n  IRS managers annually complete the Self-Assessment Tool for Managers to provide operational review\ninformation pursuant to the Federal Managers\xe2\x80\x99 Financial Integrity Act of 1982, 31 U.S.C. 
Sections 1105, 1113, 3512\n(2000).\n                                                                                                          Page 8\n\x0c                 Progress Has Been Made, but Additional Steps Are Needed to\n                         Ensure Taxpayer Accounts Are Monitored to\n                          Detect Unauthorized Employee Accesses\n\n\n\n65 IDRS business divisions having certification rates lower than 90 percent in Fiscal Year 2008;\nhowever, none of the divisions had provided a response identifying corrective actions. IRS\nbusiness organizations had not identified executives to be responsible for monitoring and\nenforcing compliance with IDRS security policy and for providing the response identifying\ncorrective actions for certification rates lower than 90 percent.\nBecause the IORS system tracks certification and timeliness data, the IDRS Security Program\nstaff can generate a list of IDRS managers who have not met security report review requirements\nand provide this information to IRS business organizations to assist their monitoring and\nremediation of noncompliant IDRS managers. Strengthening IDRS managers\xe2\x80\x99 accountability for\ntimely certification of IORS system security reports will increase the number of IDRS managers\nreviewing and certifying IDRS security reports, which will provide assurance that employees are\naccessing IDRS tax data for official purposes.\n\nRecommendations\nThe Associate Chief Information Officer, Cybersecurity, should:\nRecommendation 1: Implement compliance review procedures for IDRS security officers\nthat are designed to monitor and enforce IDRS business division compliance with security report\nresponsibilities and ensure that responses are obtained when corrective actions are required for\nnoncompliance.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
The IRS\n       Cybersecurity organization has assembled a team to develop compliance review\n       procedures for IDRS security officers and will work with the IDRS business divisions to\n       finalize and implement these procedures.\nRecommendation 2: Clarify what level of IRS business organizational management should\nbe assigned the responsibility for providing a response identifying corrective actions that are\nrequired for certification rates lower than 90 percent.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       Cybersecurity organization will work with the IDRS business divisions to clarify the\n       responsible level among IRS business organizational management and will update IRS\n       policy accordingly.\nRecommendation 3: Biannually provide a list of IDRS managers who have not met their\nIDRS security report responsibilities to the IRS business organization executive responsible for\nmonitoring and enforcing IDRS business division and manager compliance with IDRS security\nprogram policy.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
The IRS\n       Cybersecurity organization will, at least biannually, provide IRS business organization\n\n                                                                                           Page 9\n\x0c                 Progress Has Been Made, but Additional Steps Are Needed to\n                         Ensure Taxpayer Accounts Are Monitored to\n                          Detect Unauthorized Employee Accesses\n\n\n\n       executives responsible for monitoring and enforcing IDRS security program compliance\n       with a list of IDRS managers who have not met their IDRS security report\n       responsibilities.\nRecommendation 4: Complete plans to implement an enhancement in the IORS system to\ncapture responses for IDRS business divisions when corrective actions are required for\nnoncompliance.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       Cybersecurity organization will implement an enhancement in the IORS system to\n       capture required responses from IDRS business division management and will update\n       IRS policy to require the use of this IORS enhancement.\nThe Deputy Commissioner for Operations Support and the Deputy Commissioner for Services\nand Enforcement should:\nRecommendation 5: Ensure IRS business organizations identify the executives responsible\nfor monitoring and enforcing IDRS business division compliance with IDRS security program\npolicy and providing a response identifying corrective actions for certification rates lower than\n90 percent.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. A meeting\n       will be held with IRS executive leadership to disseminate information on IRS\n       noncompliance with IDRS security program policy. Executives responsible for providing\n       a response when certification rates are lower than 90 percent will be identified. 
In\n       addition, a jointly signed memorandum from the Deputy Commissioner for Operations\n       Support and the Deputy Commissioner for Services and Enforcement will be issued to\n       division commissioners and functional chiefs reiterating the requirement to review and\n       certify IDRS security reports maintained in the IORS system.\n\n\n\n\n                                                                                           Page 10\n\x0c                   Progress Has Been Made, but Additional Steps Are Needed to\n                           Ensure Taxpayer Accounts Are Monitored to\n                            Detect Unauthorized Employee Accesses\n\n\n\n                                                                                             Appendix I\n\n        Detailed Objectives, Scope, and Methodology\n\nThe overall objectives of this review were to evaluate compliance by IRS management and\nsecurity staffs in reviewing and certifying IDRS 1 security reports, which are produced online by\nthe IORS system, and assess whether corrective actions taken to address our prior audit findings 2\nwere effective.\nTo accomplish our objectives, we:\nI.      Determined whether IRS business organizations are reviewing and certifying IDRS\n        security reports using the IORS system in compliance with Internal Revenue\n        Manual Section 10.8.34.\n        A. Determined how the Cybersecurity organization compiles and validates the accuracy\n           of the certification and timeliness rate information.\n        B. Obtained the most current quarterly certification rate information, including the\n           timeliness of the certifications, maintained by the IORS system and distributed\n           quarterly by the Cybersecurity organization to IRS business organizations.\n        C. 
Determined whether the Cybersecurity organization obtained written responses from\n           executives of business organizations with lower than a 90 percent certification rate in\n           accordance with IRS policy.\n        D. Determined whether other monitoring or reporting corrective actions had been taken\n           and whether they were effective.\nII.     Determined whether IRS business organization managers\xe2\x80\x99 operational review\n        requirements were updated to include a requirement for timely certification of IORS\n        system-related reports as well as consequences for noncompliance, in order to hold\n        managers accountable for meeting their security-related responsibilities.\nIII.    Determined whether the IORS system had been modified to address previously reported\n        systemic problems, including system access issues, software problems, and management\n        oversight issues.\n\n\n\n1\n  IRS computer system capable of retrieving or updating stored information; it works in conjunction with a\ntaxpayer\xe2\x80\x99s account records.\n2\n  Increased Managerial Attention Is Needed to Ensure Taxpayer Accounts Are Monitored to Detect Unauthorized\nEmployee Accesses (Reference Number 2006-20-111, dated July 24, 2006).\n                                                                                                     Page 11\n\x0c         Progress Has Been Made, but Additional Steps Are Needed to\n                 Ensure Taxpayer Accounts Are Monitored to\n                  Detect Unauthorized Employee Accesses\n\n\n\nA. Reviewed system change documentation to determine the corrections implemented\n   and interviewed the IORS Project Manager to determine whether any ongoing\n   problems were contributing to noncompliance in reviewing and certifying IORS\n   system security reports.\nB. 
Determined whether systemic corrective actions were effective in increasing\n   compliance with reviewing and certifying IORS system security reports by\n   interviewing IORS system users to solicit their opinions regarding the effectiveness\n   of systemic changes made since the time of our last audit.\n\n\n\n\n                                                                                 Page 12\n\x0c                Progress Has Been Made, but Additional Steps Are Needed to\n                        Ensure Taxpayer Accounts Are Monitored to\n                         Detect Unauthorized Employee Accesses\n\n\n\n                                                                               Appendix II\n\n                 Major Contributors to This Report\n\nMargaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information\nTechnology Services)\nKent Sagara, Acting Director\nCarol Taylor, Audit Manager\nJody Kitazono, Senior Auditor\nLouis Lee, Senior Auditor\n\n\n\n\n                                                                                       Page 13\n\x0c                Progress Has Been Made, but Additional Steps Are Needed to\n                        Ensure Taxpayer Accounts Are Monitored to\n                         Detect Unauthorized Employee Accesses\n\n\n\n                                                                     Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nChief Information Officer OS:CTO\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nDirector, Cybersecurity Programs and Policies OS:CTO:C:PP\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaisons:\n       Chief Technology Officer OS:CTO\n       Chief Information Officer OS:CTO\n       
Associate Chief Information Officer, Cybersecurity OS:CTO:C\n\n\n\n\n                                                                           Page 14\n\x0c\x0c\x0c\x0c\x0c\x0c    Progress Has Been Made, but Additional Steps Are Needed to\n            Ensure Taxpayer Accounts Are Monitored to\n             Detect Unauthorized Employee Accesses\n\n\n\n                                                    Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\n\n\n\n                                                          Page 20\n\x0cProgress Has Been Made, but Additional Steps Are Needed to\n        Ensure Taxpayer Accounts Are Monitored to\n         Detect Unauthorized Employee Accesses\n\n\n\n\n                                                      Page 21\n\x0cProgress Has Been Made, but Additional Steps Are Needed to\n        Ensure Taxpayer Accounts Are Monitored to\n         Detect Unauthorized Employee Accesses\n\n\n\n\n                                                      Page 22\n\x0cProgress Has Been Made, but Additional Steps Are Needed to\n        Ensure Taxpayer Accounts Are Monitored to\n         Detect Unauthorized Employee Accesses\n\n\n\n\n                                                      Page 23\n\x0c'